Well, after a lengthy break involving a trip to Scotland, we are back in business! I also learned that I don’t remember as much about VMware troubleshooting as I used to when I encountered a failed vCenter server, but that is a story for another time.
In this post we will be installing a couple of bits of supporting software. MetalLB is a load balancer which will allow us to hand out a block of IP addresses to K8s services, which can be a fairly easy way to interact with Kubernetes services. Cert-manager is a bit of software that will allow us to create SSL certificates through Let's Encrypt.
MetalLB
There are a couple of things that are worth getting familiar with. First, be comfortable with a text editor. I will be posting a number of files that you will need to copy and modify. Second, I would learn a little about git. I have a repository that you can feel free to clone here.
To install MetalLB, we will first apply the manifest.
kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.13.4/config/manifests/metallb-native.yaml
Note the pinned version in the URL above; it may be worth heading over to https://metallb.universe.tf/installation/ for updated instructions.
Next, we need to configure MetalLB by editing the following file (save it as metallb-config.yaml):
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  name: first-pool
  namespace: metallb-system
spec:
  addresses:
  - 192.168.0.221-192.168.0.229
---
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
  name: example
  namespace: metallb-system
Edit the above and change the addresses. The binding is handled by the L2Advertisement. Because the L2Advertisement has no pool selector that calls out first-pool, all pools are advertised. Obviously, your addresses should be in the same subnet as your K8s nodes. You can apply the config with:
kubectl apply -f metallb-config.yaml
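The caveat above (the pool must sit in the node subnet) is easy to get wrong by a typo in a range, so here is an added pre-apply check, not code from the post or from the MetalLB project. It expands each entry of spec.addresses (MetalLB accepts both the "a-b" range form and CIDR form) and reports any address that falls outside the node subnet, is the subnet's network or broadcast address, or collides with a node's own IP. The node subnet and node IPs below are assumed sample values, and the pool is the one from the manifest above.

```python
"""Sanity-check a MetalLB IPAddressPool against the cluster's node subnet.

Added example, not from the original post or the MetalLB project.
Uses only the standard library.
"""
import ipaddress

# Constructed sample input: the pool from the post, plus an assumed node
# subnet and node addresses (these are not from the post).
POOL_ADDRESSES = ["192.168.0.221-192.168.0.229"]
NODE_SUBNET = "192.168.0.0/24"
NODE_IPS = ["192.168.0.10", "192.168.0.11", "192.168.0.12"]


def expand_entry(entry):
    """Turn one spec.addresses entry into a list of IP address objects.

    Handles the two forms MetalLB accepts: "first-last" ranges and CIDRs.
    Raises ValueError for anything it cannot parse.
    """
    entry = entry.replace(" ", "")
    if "/" in entry:
        # A CIDR entry hands out every address in the block, network and
        # broadcast included, so list all of them rather than .hosts().
        return list(ipaddress.ip_network(entry, strict=False))
    first, last = entry.split("-")
    start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if end < start:
        raise ValueError(f"range end {end} precedes start {start}")
    return [ipaddress.ip_address(i) for i in range(int(start), int(end) + 1)]


def pool_size(pool_entries):
    """Number of service IPs the pool can hand out."""
    return sum(len(expand_entry(e)) for e in pool_entries)


def check_pool(pool_entries, node_subnet, node_ips=()):
    """Return a list of problem strings; an empty list means the pool looks sane."""
    subnet = ipaddress.ip_network(node_subnet, strict=False)
    nodes = {ipaddress.ip_address(ip) for ip in node_ips}
    problems = []
    addresses = []
    for entry in pool_entries:
        try:
            addresses.extend(expand_entry(entry))
        except ValueError as exc:
            problems.append(f"{entry}: unparseable ({exc})")
    for addr in addresses:
        if addr not in subnet:
            problems.append(f"{addr}: outside node subnet {subnet}")
            continue
        if addr in (subnet.network_address, subnet.broadcast_address):
            problems.append(f"{addr}: network/broadcast address of {subnet}")
        if addr in nodes:
            problems.append(f"{addr}: collides with a node address")
    return problems


if __name__ == "__main__":
    print(f"pool holds {pool_size(POOL_ADDRESSES)} addresses")
    for problem in check_pool(POOL_ADDRESSES, NODE_SUBNET, NODE_IPS):
        print("PROBLEM:", problem)
```

Run it before kubectl apply; if it prints any PROBLEM line, fix the manifest first, since MetalLB will happily advertise an address that your L2 segment cannot reach.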
That’s it, on to cert-manager.
Cert-Manager
The cert-manager installation is best done with Helm. Helm is similar to a package manager for Kubernetes. Installation is rather straightforward on Ubuntu. Of course, snap seems to be a rather hated tool, but it does make things easy:
sudo snap install helm --classic
And the installation of cert-manager can be done with:
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install \
cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--set installCRDs=true
That’s it! Now we just need to configure it. Configuration is handled with certificate issuers, which simply tell cert-manager how to generate certificates. Don’t worry about the specific network plumbing just yet (we will cover that in the next post). I use 3 issuers: prod (Let’s Encrypt), staging, and self-signed. Take a look at the following, save it as cert-issuer.yaml, and edit as needed:
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
  namespace: cert-manager
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: chris@ccrow.org
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable the HTTP-01 challenge provider
    solvers:
    - http01:
        ingress:
          class: nginx
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
  namespace: cert-manager
spec:
  acme:
    # The ACME server URL
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: chris@ccrow.org
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-staging
    # Enable the HTTP-01 challenge provider
    solvers:
    - http01:
        ingress:
          class: nginx
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-cluster-issuer
spec:
  selfSigned: {}
The emails above should be changed. It is also worth noting that I have combined 3 different manifests into one file by separating them with '---'. You can apply the config with:
kubectl apply -f cert-issuer.yaml
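Two mistakes with a combined issuer file are easy to make and only show up later: leaving the author's email in place, and pointing an issuer named "prod" at the staging ACME endpoint (or vice versa), which yields certificates from a CA that browsers do not trust. The following is an added lint step, not code from the post or the cert-manager project. It deliberately uses a small line-based extraction of the handful of keys the issuers above use rather than a full YAML parser, so it needs no third-party module; SAMPLE_MANIFEST is a constructed copy of the three issuers above with the comments removed.

```python
"""Lint a combined cert-manager ClusterIssuer manifest before applying it.

Added example, not from the original post or the cert-manager project.
Only the keys used by the post's issuers are extracted; this is not a
general YAML parser.
"""
import re

LE_PROD = "https://acme-v02.api.letsencrypt.org/directory"
LE_STAGING = "https://acme-staging-v02.api.letsencrypt.org/directory"
# The post's own address; it must be replaced with yours before applying.
PLACEHOLDER_EMAIL = "chris@ccrow.org"

# Constructed sample: the post's three issuers, without the comment lines.
SAMPLE_MANIFEST = """\
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: chris@ccrow.org
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: nginx
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: chris@ccrow.org
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
    - http01:
        ingress:
          class: nginx
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-cluster-issuer
spec:
  selfSigned: {}
"""

KEY_VALUE = re.compile(r"^\s*-?\s*([A-Za-z0-9]+):\s*(.*?)\s*$")


def split_documents(text):
    """Split a multi-document YAML string on its '---' separators."""
    return [d for d in re.split(r"^---\s*$", text, flags=re.M) if d.strip()]


def extract(doc):
    """Pull the scalar keys the lint needs out of one document."""
    info = {"name": None, "kind": None, "server": None, "email": None,
            "secret": None, "selfsigned": False, "http01": False}
    prev = None
    for line in doc.splitlines():
        if line.strip().startswith("#"):
            continue  # comment line
        m = KEY_VALUE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "kind":
            info["kind"] = value
        elif key == "name" and prev == "metadata":
            info["name"] = value
        elif key == "name" and prev == "privateKeySecretRef":
            info["secret"] = value
        elif key == "server":
            info["server"] = value
        elif key == "email":
            info["email"] = value
        elif key == "selfSigned":
            info["selfsigned"] = True
        elif key == "http01":
            info["http01"] = True
        prev = key
    return info


def lint(text):
    """Return a list of findings; an empty list means the manifest passes."""
    findings, secrets = [], {}
    for doc in split_documents(text):
        i = extract(doc)
        tag = i["name"] or "<unnamed>"
        if i["kind"] != "ClusterIssuer":
            findings.append(f"{tag}: kind is {i['kind']}, expected ClusterIssuer")
        if i["selfsigned"]:
            continue  # nothing ACME-specific to check
        if i["server"] not in (LE_PROD, LE_STAGING):
            findings.append(f"{tag}: unknown ACME server {i['server']}")
        if "staging" in tag and i["server"] == LE_PROD:
            findings.append(f"{tag}: named staging but points at the production ACME server")
        if "staging" not in tag and i["server"] == LE_STAGING:
            findings.append(f"{tag}: points at staging ACME; its certificates will not be browser-trusted")
        if i["email"] in (None, PLACEHOLDER_EMAIL):
            findings.append(f"{tag}: ACME email not changed to your own address")
        if not i["http01"]:
            findings.append(f"{tag}: no http01 solver configured")
        if i["secret"] in secrets:
            findings.append(f"{tag}: shares account key secret {i['secret']} with {secrets[i['secret']]}")
        secrets[i["secret"]] = tag
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_MANIFEST):
        print("FINDING:", finding)
```

Point lint() at the contents of your cert-issuer.yaml; the unedited manifest above produces exactly two findings, one per ACME issuer, until the email is changed.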
That will do it! We are ready to move on to configuring our first service.